
Currently we are evaluating a SAML solution as a corporate user authentication system.

The goal is to have only SAML as the main system without any redundancy of user data throughout different platforms.

Even if SAML authenticates the user, how can the Domino server create a session without mapping it to a user in the NAB?

Is it somehow possible to have a Domino session without having the actual entry in the NAB?

And is it possible to retrieve group membership from SAML without having the actual group document in the NAB?

Even if all of that works, is it still possible to use these users and groups in the ACL and in Readers and Authors fields?

user2316219

1 Answer

The combination of SAML and configuring Directory Assistance on the Domino server to integrate with an LDAP service provided by your corporate systems would allow you to accept SAML credentials for users who do not have a Person document in the Domino Directory.

But no, you can't use SAML to retrieve group membership. You can't use SAML to retrieve anything. It's not a directory query mechanism. It's only an authentication mechanism that communicates trusted identity information. You can, however, configure Domino Directory Assistance to use an external LDAP source for groups, and your local groups, ACLs and Reader/Author fields can also refer to these users.

Richard Schwartz
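The answer above describes a division of labour: the SAML assertion supplies only a trusted identity, the corporate LDAP directory (reached through Directory Assistance) supplies the rest of the user record and the group membership, and the ACL and Readers fields are then evaluated against that combined principal. The following Python script is an added illustration of that flow and is not Domino code or anything from the original post: the SAML assertion and the LDIF snapshot of the directory are constructed sample data, the LDIF parser is deliberately minimal (no continuation lines, no base64 values), the assertion is not signature-checked (a real deployment must verify the IdP signature before trusting the NameID), and the ACL resolution is a simplified model of Domino's rules (explicit user entry wins, otherwise the highest group level, otherwise -Default-).

```python
"""Model of SAML identity + LDAP lookup + ACL evaluation (added example, not Domino code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion; unsigned here, so this script trusts it only after
# checking the validity window and audience. Production code verifies the signature first.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://domino.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed LDIF snapshot standing in for the corporate LDAP that Directory Assistance queries.
LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
mail: jdoe@example.com
memberOf: cn=finance,ou=groups,dc=example,dc=com
memberOf: cn=staff,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Roe
mail: bob@example.com
memberOf: cn=staff,ou=groups,dc=example,dc=com
"""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attribute: [values]}}; entries are blank-line separated."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def identity_from_assertion(xml_text, audience, now):
    """Return the NameID if the assertion is within its window and meant for us, else None."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return None
    if not_on_or_after and now >= _ts(not_on_or_after):
        return None
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audiences and audience not in audiences:
        return None
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return name_id.text.strip() if name_id is not None else None


def rdn_value(dn):
    """'cn=finance,ou=groups,...' -> 'finance' (the name an ACL entry would use)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def resolve_user(directory, mail):
    """Map the SAML NameID (mail) to a directory entry -> (dn, [group names]) or None."""
    for dn, attrs in directory.items():
        if mail in attrs.get("mail", []):
            return dn, [rdn_value(g) for g in attrs.get("memberOf", [])]
    return None


def effective_access(acl, user, groups):
    """Simplified Domino ACL rule: explicit user entry wins, else max group level, else -Default-."""
    if user in acl:
        return acl[user]
    group_levels = [LEVELS.index(acl[g]) for g in groups if g in acl]
    if group_levels:
        return LEVELS[max(group_levels)]
    return acl.get("-Default-", "No Access")


def can_read(readers_field, user, groups, level):
    """A Readers field, when non-empty, further restricts who may read the document."""
    if LEVELS.index(level) < LEVELS.index("Reader"):
        return False
    if not readers_field:
        return True
    return bool(set(readers_field) & ({user} | set(groups)))


def authorize(xml_text, now, acl, readers_field, audience="https://domino.example.com"):
    """End-to-end: assertion -> identity -> directory lookup -> ACL level and read decision."""
    user = identity_from_assertion(xml_text, audience, now)
    if user is None:
        return None
    found = resolve_user(parse_ldif(LDIF), user)
    if found is None:
        return None
    dn, groups = found
    level = effective_access(acl, user, groups)
    return {"dn": dn, "groups": groups, "level": level,
            "can_read": can_read(readers_field, user, groups, level)}


if __name__ == "__main__":
    acl = {"-Default-": "No Access", "staff": "Reader", "finance": "Author"}
    print(authorize(ASSERTION, datetime(2024, 1, 1, 10, 1, tzinfo=timezone.utc), acl, ["finance"]))
```

Note what the groups list does and does not come from: nothing in the assertion is consulted for membership; only the directory's memberOf values are, which is the point of the answer. Rejecting the assertion when the clock is outside NotBefore/NotOnOrAfter or the Audience does not match is the minimum a relying party should do before even starting the lookup.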